Firewalls and Cryptography

Yes, this is really, _really_ true.

*sigh* VB.
Reply to
Volker Birk

Then scripting viruses will get more important again.

Yours, VB.

Reply to
Volker Birk

You're still wrong, because a virus may very well do its "dirty work" without being spotted by a user if it keeps a low profile (i.e. doesn't interfere with the user's day-to-day work). And unless a signature is created for it the virus still remains new to anyone else despite being spotted by a user.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

His claim that no antivirus measure could defend against unknown viruses. This is wrong, as shown by counterexample. This is however true if you limit antivirus measures to virus scanners.

My follow-up comment explicitly gave a counter-example to your flawed argument. Virus scanners, as implemented by this firewall's traffic inspection and filter module, or firewalls generally, aren't any protection against viruses, but filters at best. But that doesn't mean that there are no other kinds of measures that provide complete protection.

Reply to
Sebastian Gottschalk

Code Red worm is a memory resident worm that doesn't write to the file system. Why would you say a virus scanner that searches RAM is useless? me

Reply to
bassbag

Not having a net connection or running any introduced media such as CDs or floppies will also accomplish this. me

Reply to
bassbag

Sebastian Gottschalk wrote:
: His claim that no antivirus measure could defend against unknown viruses.
: This is wrong, as shown by counterexample. This is however true if you
: limit antivirus measures to virus scanners.

There exist a few security applications that can find threats by executing them in a virtual machine and analyzing their behaviour. This will of course not give the ultimate performance compared to other solutions, but they will detect and defend against a number of threats that there exist no signatures for. These applications will however not give 100% protection as they will only monitor the virtual machine to a certain level (can't let the program run forever in there before determining if the program is ok or not).

I know Finjan had such a product that would analyze Java code while running in a special VM that would analyze it (Finjan Surfingate). It seems that they now have a somehow similar solution for web+spyware.

Another product that I've had the opportunity to look inside is the Norman Sandbox. It's a virtual machine running a win32 environment where many common applications are installed. It loads a given application inside this VM and records what it does. Everything is weighted and if it reaches a predefined value after doing several suspicious things, execution is stopped and it's flagged as a possible virus. And no, I'm not working for Norman or even using it. I was just technically impressed when shown its inner workings. It's also possible to submit programs through the web and receive a report through email. Look here to get an idea of how it works:
Lars

Reply to
larstr

The correct word is "guess".

Wonderful. Why not implement a trivial 100% solution?

Yeah, well-known snake-oil.

Spyware has no solution. It's a user-induced problem.

: It's a virtual machine running a win32 environment where many common applications

Yeah, as if malware would care. Did you ever analyze a recent piece of malware? It does thousands of things just to place a few specific data in a certain location purely by (largely undocumented) side effects. Behaviour analysis on the run? Has been rendered ineffective some years ago!

Reply to
Sebastian Gottschalk

Sebastian Gottschalk wrote:
: > There exist a few security applications that can find threats by
: > executing them in a virtual machine and analyzing their behaviour.

: The correct word is "guess".

Well. As it's monitoring an application as it executes, I guess the word "guess" is a bit imprecise.

: Wonderful. Why not implement a trivial 100% solution?

Because malware is aware of this and some are trying to use just "good" behaviour before starting doing its malware business. It's also unknown if the red pill works inside the sandbox, but if it does, some malware can be able to detect that it's running in a virtual machine and perhaps doesn't do anything wrong as it's executed in such an environment, to fool this kind of technology.

: Yeah, as if malware would care.
: Did you ever analyze a recent piece of malware? It does thousands of things
: just to place a few specific data in a certain location purely by (largely
: undocumented) side effects.

No, I haven't analyzed anything just lately, but I've tried a few ones earlier. Why don't you submit a recent one and tell us what you can find?

: Behaviour analysis on the run? Has been rendered ineffective some years
: ago!

I guess no single technology is perfect. But I believe this kind of application has its place in the hierarchy. Or do you have a better solution? Maybe an ideal world free of malware and stupid users? ;-)

Lars

Reply to
larstr
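As an added illustration (not code from the thread, from Norman, or from any of the posters) of the two points argued above: Lars's description of the sandbox's weighted behaviour scoring with a stop threshold, and his later caveat that the sandbox can only observe for a bounded time while malware may behave benignly first. The action names, weights, threshold, observation budget and event traces below are all constructed for the example; a real sandbox would derive them from its own instrumentation.

```python
# Added example: a toy behaviour-scoring monitor in the style larstr describes.
# Each observed action carries a weight, the running total is compared with a
# threshold, and observation stops once the threshold is reached. The
# "budget" models the sandbox's bounded observation window. Weights, action
# names and traces are constructed for illustration only.

from dataclasses import dataclass, field

# Constructed weights for observed actions; unlisted actions score 0.
WEIGHTS = {
    "write_system_dir": 40,
    "modify_run_key": 30,
    "open_network_socket": 15,
    "inject_into_process": 50,
    "open_document": 0,
    "read_registry": 0,
}

# Constructed threshold at which the sample is flagged.
THRESHOLD = 60


@dataclass
class Verdict:
    flagged: bool
    score: int
    events_observed: int
    reason: str
    trace: list = field(default_factory=list)


def score_trace(trace, weights=WEIGHTS, threshold=THRESHOLD, budget=None):
    """Walk an event trace, summing weights. Stop as soon as the threshold is
    reached (flagged) or the observation budget runs out (not flagged).
    `budget` is the maximum number of events the sandbox will observe;
    None means observe the whole trace."""
    score = 0
    seen = []
    for i, event in enumerate(trace):
        if budget is not None and i >= budget:
            # The sandbox gave up before seeing the rest: a false negative
            # if the payload behaviour comes later in the trace.
            return Verdict(False, score, i, "observation budget exhausted", seen)
        score += weights.get(event, 0)
        seen.append(event)
        if score >= threshold:
            return Verdict(True, score, i + 1,
                           f"threshold {threshold} reached at event {event!r}", seen)
    return Verdict(False, score, len(trace), "trace ended below threshold", seen)


# Constructed traces.
DROPPER = ["open_document", "write_system_dir", "modify_run_key", "open_network_socket"]
BENIGN = ["open_document", "read_registry", "read_registry"]
# Evasive sample: twenty harmless events before any payload behaviour.
EVASIVE = ["read_registry"] * 20 + ["inject_into_process", "open_network_socket"]


def demo():
    """Run the four constructed cases and return their verdicts by name."""
    return {
        "dropper": score_trace(DROPPER),
        "benign": score_trace(BENIGN),
        "evasive_short_budget": score_trace(EVASIVE, budget=10),
        "evasive_long_budget": score_trace(EVASIVE, budget=50),
    }


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:22s} flagged={v.flagged} score={v.score} "
              f"events={v.events_observed} ({v.reason})")
```

The dropper trace crosses the threshold on its third event and is stopped there; the benign trace never scores. The evasive trace is the point of the exchange: with a ten-event budget the monitor returns "not flagged" having seen nothing but registry reads, while a fifty-event budget catches the same sample. Raising the budget costs analysis time per sample, which is the trade-off Lars alludes to when he says the program cannot be left to run forever.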
